---
licence_title: Creative Commons Attribution 4.0 International (CC-BY 4.0)
licence_link: https://creativecommons.org/licenses/by/4.0/
licence_restrictions: https://cert.europa.eu/legal-notice
licence_author: CERT-EU, The Cybersecurity Service for the European Union institutions, bodies, offices and agencies
title: 'RCE Vulnerabilities in Atlassian Products'
version: '1.0'
number: '2023-052'
original_date: 'July 18, 2023'
date: 'July 24, 2023'
---

_History:_

* _24/07/2023 --- v1.0 -- Initial publication_

# Summary

On July 18, 2023, Atlassian released its Security Bulletin [1] for July 2023 to address remote code execution (RCE) vulnerabilities in Confluence Data Center & Server (**CVE-2023-22505** and **CVE-2023-22508**) and Bamboo Data Center (**CVE-2023-22506**). An attacker can exploit these vulnerabilities to take control of an affected system.

# Technical Details

**CVE-2023-22505**: This RCE (Remote Code Execution) vulnerability, with a CVSS score of 8 out of 10, allows an authenticated attacker to execute arbitrary code. It has a high impact on confidentiality, integrity, and availability, and requires no user interaction [2].

**CVE-2023-22508**: This RCE (Remote Code Execution) vulnerability, with a CVSS score of 8.5 out of 10, allows an authenticated attacker to execute arbitrary code. It has a high impact on confidentiality, integrity, and availability, and requires no user interaction [4].

**CVE-2023-22506**: This code injection and RCE (Remote Code Execution) vulnerability, with a CVSS score of 7.5 out of 10, allows an authenticated attacker to modify the actions taken by a system call and execute arbitrary code. It has a high impact on confidentiality, integrity, and availability, and requires no user interaction [3].

# Affected Products

- CVE-2023-22505 was introduced in version 8.0.0 of Confluence Data Center & Server [2].
- CVE-2023-22508 was introduced in version 7.4.0 of Confluence Data Center & Server [4].
- CVE-2023-22506 was introduced in version 8.0.0 of Bamboo Data Center [3].

# Recommendations

CERT-EU recommends reviewing the latest Atlassian security bulletin and applying the necessary updates [1].

# References

[1]

[2]

[3]

[4]